In a specially crafted packet attack, the attacker tailors individual packets or requests to a specific weakness in the target rather than simply overwhelming it with traffic. Attention from the security community has recently focused more on these fragmented and application-layer DDoS attacks, in addition to the volumetric and amplified DDoS attacks that we are all so aware of.
Every kind of computing system has its own specific vulnerabilities. Once a criminal takes advantage of one, various unwanted outcomes can follow, the two most common being Remote Code Execution and a Denial of Service Condition.
Remote Code Execution lets the attacker run code of their choosing on the target, usually by exploiting poorly written code, and is often a stepping stone to data exfiltration. A Denial of Service Condition instead exploits protocol and application weaknesses to force systems offline, without the attacker ever gaining control of them.
A wide range of specially crafted DoS attacks have occurred and been discussed publicly. A search for “Cisco IOS Denial of Service” on the U.S. Computer Emergency Readiness Team (US-CERT) website returns almost 5,000 results, and many of those advisories describe DoS vulnerabilities in Cisco IOS that are triggered by specially crafted packets: a single malformed packet, or a handful of them, that makes a device reload or a process hang.
In 2011, a security researcher known as Kingcope released the killapache.pl Perl script online. Killapache.pl sends HTTP requests whose Range header asks for a very large number of overlapping byte ranges of the same resource. The script exploits a weakness in the way certain versions of Apache processed such specially crafted HTTP requests: the server prepared and compressed each requested range separately, so one small request forced it to allocate a large amount of memory and burn a large amount of CPU. Ultimately, the script can take the system offline this way. It is effective at forcing system crashes and reboots precisely because, rather than consuming bandwidth, it consumes as much memory or CPU on the server as possible.
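The defensive side of this is small and worth seeing. The following is an added example written for this article, not code from the page, from Kingcope's script or from the Apache project: it parses an HTTP Range header, rejects the two shapes the attack depends on (more ranges than any legitimate client needs, and ranges that overlap one another), and quantifies how much work an unpatched server would have done for a header of the killapache.pl shape. The sample header is constructed to match that shape (one full-resource range followed by many ranges that all start at byte 5); the 200-range cap is my recollection of the default for the MaxRanges directive that Apache added after the incident, and should be treated as an assumption, as should the 2,000-byte resource length used in the demo.

```python
"""Range-header guard against Apache-Killer-style requests (added example)."""
import re
from typing import List, Optional, Tuple

# (start, end) with None for an open end: "500-" -> (500, None), "-500" -> (None, 500)
ByteRange = Tuple[Optional[int], Optional[int]]

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str) -> List[ByteRange]:
    """Parse "bytes=0-99, 200-, -500" into (start, end) pairs; raise on bad syntax."""
    if not value.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges: List[ByteRange] = []
    for raw in value[len("bytes="):].split(","):
        spec = raw.strip()
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError(f"malformed byte-range-spec {spec!r}")
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            raise ValueError(f"reversed byte-range-spec {spec!r}")
        ranges.append((start, end))
    return ranges


def normalize_ranges(ranges: List[ByteRange], length: int) -> List[Tuple[int, int]]:
    """Resolve open ends against the resource length and drop unsatisfiable specs."""
    out: List[Tuple[int, int]] = []
    for start, end in ranges:
        if start is None:                       # suffix range: the last `end` bytes
            if end == 0:
                continue
            out.append((max(length - end, 0), length - 1))
        elif start < length:                    # a start beyond EOF is unsatisfiable
            out.append((start, length - 1 if end is None else min(end, length - 1)))
    return out


def coalesce_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent ranges before any of them is served."""
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def requested_bytes(ranges: List[Tuple[int, int]]) -> int:
    """Bytes a server would buffer (and gzip) if it served every range verbatim."""
    return sum(end - start + 1 for start, end in ranges)


def assess_range_header(value: str, resource_length: int, max_ranges: int = 200):
    """Return (honour, reason). max_ranges=200 is the assumed MaxRanges default."""
    try:
        ranges = parse_range_header(value)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if len(ranges) > max_ranges:
        return False, f"too many ranges: {len(ranges)} > {max_ranges}"
    absolute = normalize_ranges(ranges, resource_length)
    merged = coalesce_ranges(absolute)
    if len(merged) < len(absolute):
        return False, (f"overlapping or adjacent ranges: {len(absolute)} requested, "
                       f"{len(merged)} distinct")
    return True, f"{len(merged)} range(s)"


def killapache_style_header(count: int = 1300) -> str:
    """Constructed header in the shape the 2011 script sent: one full range plus
    many overlapping ranges that all begin at byte 5 (not the script's literal output)."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(5, 5 + count))


if __name__ == "__main__":
    hdr = killapache_style_header()
    absolute = normalize_ranges(parse_range_header(hdr), 2000)
    print("ranges requested:", len(absolute))
    print("bytes if served verbatim:", requested_bytes(absolute))
    print("bytes after coalescing:", requested_bytes(coalesce_ranges(absolute)))
    print("verdict:", assess_range_header(hdr, 2000))
```

For a 2,000-byte page the constructed header makes an unpatched server prepare roughly 850 KB of range bodies from a request of a few kilobytes, while the coalesced form is the same 2,000 bytes a plain GET would have returned; that ratio, not raw bandwidth, is what made the script so effective. When a Range header fails either check, the right response is to ignore the header and serve the whole resource with a 200, which costs the attacker the same as an ordinary request.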
Beyond vulnerabilities of this kind, specially crafted DDoS attacks often target websites with poor designs or improper integration with their backend systems. Attackers exploit weaknesses in the protocol “stacks” of HTTP, SQL, SIP, DNS and similar services, generating specially crafted packets that force the servers offline, or they send a large number of requests that each trigger an expensive database query until the database locks up. These attacks are effective because they are highly customized to the target and because each request costs the attacker almost nothing while consuming a disproportionate amount of server resources.
Specially crafted attacks are frequently launched from a single source: because they do not rely on volume, one machine is enough, which is why so many of them are classed as DoS rather than DDoS. By their very nature, they require the skills of someone with expertise in the targeted protocol or application. As is so often the case, the vulnerability assessment and packet-crafting tools that network administrators develop to test their own systems for weaknesses are just as useful to malicious hackers looking for vulnerabilities to exploit. Attacks built this way are difficult to detect and diagnose because they do not appear as a spike in bandwidth; spotting them requires inspecting the packets and requests themselves and knowing the protocol well enough to recognize what is abnormal.